Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

How does OpenID work?

Tags:

openid

Can someone help me understand how OpenID works? I'm interested in the following answers:

  1. Do you still have to store user ids and passwords if using OpenId?
  2. How does my application create a new session when a user logs in?
  3. When users log out of the application do I need to do anything other than clear their session data? Do I need to inform the openId server?
like image 683
Mohamad Avatar asked Nov 10 '10 17:11

Mohamad

2 Answers

I recently made an openid authentication system this is how it works.

login:

  1. User puts in openid url (not necessarily unique),
  2. Openid provider verifies and provides a unique openid url, on success.
  3. Put this url in the session.

authenticate request:

there is a table that maps openid url to user.

for each request:

  1. Look for openid url in the session
  2. If exists, lookup user record and attach it to the request
  3. Process the request.

Do you still have to store userIDs and passwords if using openId?

userIDs yes, passwords no (unless you provide other ways to login except openid)

How does my application find out and create a new session when someone logs in?

Sessions are handled as normal, sessions are for authenticated and unauthenticated users.

When I use logs out of my own application, do I need to do anything more than just clear their session from my application? (Do I need to inform the openId server?)

Nope.

like image 62
dan_waterworth Avatar answered Oct 16 '22 16:10

dan_waterworth

My understanding is the following:

  1. OpenId allows users to log in in a decentralized manner. Which means the the user's login credentials are handled by one site, the provider

  2. Your system will interact with the provider to determine if a user is who they say they are. If they pass that check, your system logs them in.

  3. You still need to store some user information because the details of how they can use your system must be stored within your system.

So, if Google is an open id provider, SO can verify that I logged into google and am who I say I am. SO then says, great, this user is hvgotcodes in our system and gives me privileges that make sense for who I am in SO.

In answer to your specific question about logout, yes, you still log the user into your system after the open id provider verifies the users credentials, and hence you can handle their log out status from your own system.

like image 3
hvgotcodes Avatar answered Oct 16 '22 15:10

hvgotcodes
Sign in to Comment

Related questions

Migrating Google OpenID to OpenID Connect: openid_id does not match
Token from identity server connection\token is not valid for my API
Easiest way to authenticate user in iPhone app?
Setting up a OpenID provider for testing
How do I know my OpenId Identity URL?
Wordpress OpenID doesn't work with StackOverflow
Azure Active Directory: Get user's UPN with OpenID Connect authentication
Using OpenID for website Authentication
How can I imitate Stack Overflows SSO? Particularly where it federates with serverfault.com?
Appengine application as OpenId provider. Is it possible?
If OpenID, what user data do I still need to save
Is there any C-language (or even C++) OpenID library around somewhere?
Authenticate flutter app with keycloak and openid_client
OpenID Library for PHP 5.3 [closed]
Why isn't information about the openID user coming through the protocol?
Is MSN an OpenID provider?
List of openid urls [duplicate]
Confusion on using django socialauth
OpenID Discovery Methods - Yadis VS HTML
OpenID and FB Connect Tutorial

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!